docs: DOC-295: Add docs for proxy storage

caitlinwheeless · caitlinwheeless · commit 6a28dc8dae2e · 2025-05-20T11:13:03.000-05:00
diff --git a/docs/source/guide/storage.md b/docs/source/guide/storage.md
@@ -67,6 +67,94 @@ Source storage functionality can be divided into two parts:
 
 <img src="/images/source-cloud-storages.png" class="make-intense-zoom">
 
+#### Pre-signed URLs vs. storage proxies
+
+There are two secure mechanisms in which Label Studio fetches media data from cloud storage: via proxy and via pre-signed URLS. 
+
+Which one you use depends on whether you have **Use pre-signed URLs** toggled on or off when setting up your source storage. Proxy storage is enabled when **Use pre-signed URLs** is OFF:
+
+![Screenshot of storage page with use pre-signed off](/images/storages/use-presigned-off.png)
+
+##### Proxy storage
+
+When in proxy mode, the Label Studio backend fetches objects server-side and streams them directly to the browser.
+
+![Storage diagram proxy](/images/storages/storage-proxy.png)
+
+This has multiple benefits, including:
+
+- **Security**
+    - Access to media files is further restricted based on Label Studio user roles and project access. 
+    - This access is applied to cached files. This means that even if the media is cached, access will be restricted to that file if a user's access to the task is revoked.  
+    - Data stays within the Label Studio network boundary. This is especially useful for on-prem environments who want to maintain a single entry point for their network traffic.
+- **Configuration**
+    - No CORS settings are needed. 
+    - No pre-signed permissions are needed. 
+
+To allow proxy storage, you need to ensure your permissions include the following: 
+
+{% details <b>AWS S3</b> %}
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject",
+                "s3:ListBucket"
+            ],
+            "Resource": [
+                "arn:aws:s3:::your-bucket-name",
+                "arn:aws:s3:::your-bucket-name/*"
+            ]
+        }
+    ]
+}
+
+```
+
+{% enddetails %}
+
+<br>
+
+{% details <b>Google Cloud Storage</b> %}
+
+- `storage.objects.get` - Read object data and metadata
+- `storage.objects.list` - List objects in the bucket (if using prefix)
+
+{% enddetails %}
+
+<br>
+
+{% details <b>Azure Blob Storage</b> %}
+
+Add the **Storage Blob Data Reader** role, which includes:
+- `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read`
+- `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/getTags/action`
+
+{% enddetails %}
+
+<br>
+
+!!! note Note for on-prem deployments
+    Very large media files are streamed in sequential 8 MB chunks, which are split into different GET requests. This can result in frequent requests to the backend to get the next portion of data and uses additional resources.
+
+    You can configure this using the following environment variables:
+
+    * `RESOLVER_PROXY_MAX_RANGE_SIZE` - Defaults to 8 MB, and defines the largest chunk size returned per request. 
+    * `RESOLVER_PROXY_TIMEOUT` - Defaults to 20 seconds, and defines the maximum time uWSGI workers spend on a single request.
+
+
+##### Pre-signed redirect
+
+In this scenario, your browser receives an HTTP 303 redirect to a time-limited S3/GCS/Azure URL. This is the default behavior. 
+
+![Screenshot of storage page with use pre-signed off](/images/storages/storage-proxy-presigned.png)
+
+The main benefit to using pre-signed URLs is if you want to ensure that your media files are isolated from the Label Studio network as much as possible. 
+
 #### Treat every bucket object as a source file
 
 Label Studio Source Storages feature an option called "Treat every bucket object as a source file." This option enables two different methods of loading tasks into Label Studio.
@@ -178,7 +266,6 @@ When enabled, Label Studio automatically lists files from the storage bucket and
 
 <img src="/images/source-storages-treat-on.png" class="make-intense-zoom">
 
-
 ### Target storage
 
 When annotators click **Submit** or **Update** while labeling tasks, Label Studio saves annotations in the Label Studio database. 
